SSL mutual authentication (Part 1)

1.
Download and install OpenSSL
(Linux) https://www.openssl.org/source/
(Windows) http://gnuwin32.sourceforge.net/packages/openssl.htm
(Windows) http://slproweb.com/products/Win32OpenSSL.html
Add the bin directory to PATH, e.g.
C:\Program Files\OpenSSL-Win64\bin

2.
Create the CA private key
openssl genrsa -out E:/Myca/ca-key.pem 1024
(1024-bit RSA is what the original walkthrough used; it is below today's accepted minimum, so use 2048 or larger for anything beyond a lab test. The same applies to the keytool -keysize in the server section.)

3.
Create the certificate request
openssl req -new -out E:/Myca/ca-req.csr -key E:/Myca/ca-key.pem -config openssl.cnf
(The config file is C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf; if your build does not ship one, locate a sample default config yourself.)

The original fills the Common Name ("YOUR name") with the server's domain name or IP address here. That is only necessary for the server certificate (step 1 of the server section), and even there modern browsers match the host against a subjectAltName rather than the CN. The CA's CN can be any distinctive name such as "My Test CA"; giving the CA and the server the same DN, as the transcripts below do, makes the keytool listings impossible to tell apart. Also note that "ch" is the ISO country code for Switzerland; the code for China is CN.

Country Name (2 letter code) [AU]:ch
State or Province Name (full name) [Some-State]:shanghai
Locality Name (eg, city) []:shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:alibaba
Organizational Unit Name (eg, section) []:alibabasoft
Common Name (e.g. server FQDN or YOUR name) []:192.168.134.96
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:alibaba

4.
Self-sign the CA certificate
openssl x509 -req -in E:/Myca/ca-req.csr -out E:/Myca/ca-cert.pem -signkey E:/Myca/ca-key.pem -days 3650
(Without an -extfile this produces an X.509 v1 certificate, which is why keytool prints "Version: 1" for it below. A CA certificate should be v3 with basicConstraints=CA:TRUE; pass -extfile with that extension when self-signing.)

Signature ok
subject=C = ch, ST = shanghai, L = shanghai, O = alibaba, OU = alibabasoft, CN = 192.168.134.96, emailAddress = [email protected]
Getting Private key

5.
Export the CA certificate as PKCS#12 including the private key (this file stays on the CA machine; the CA private key must never be distributed)
openssl pkcs12 -export -clcerts -in E:/Myca/ca-cert.pem -inkey E:/Myca/ca-key.pem -out E:/Myca/ca.p12
Export the CA certificate without the key (this is the form that goes to clients and truststores; it needs its own output name, otherwise it overwrites the export above, as the transcript below did)
openssl pkcs12 -export -nokeys -clcerts -in E:/Myca/ca-cert.pem -inkey E:/Myca/ca-key.pem -out E:/Myca/ca-cert.p12

C:\Users\jack>openssl pkcs12 -export -nokeys -clcerts -in E:/Myca/ca-cert.pem -inkey E:/Myca/ca-key.pem -out E:/Myca/ca.p12
Enter Export Password:
Verifying - Enter Export Password:

Registering the server certificate:

1.
Create the server keystore. alias: server; validity: 3650 days; keyalg: RSA; storepass: keystore password; keypass: password of the key entry under that alias.
keytool -genkey -alias server -validity 3650 -keyalg RSA -keysize 1024 -keypass 123456 -storepass 123456 -keystore E:/Myca/server/server.jks

At "first and last name" enter the domain name or IP address of the server; keytool puts it in the CN. (Use -keysize 2048 or larger outside a lab; see the note on the CA key.)

C:\Users\jack>keytool -genkey -alias server -validity 3650 -keyalg RSA -keysize 1024 -keypass 123456 -storepass 123456 -keystore E:/Myca/server/server.jks
What is your first and last name?
192.168.134.96
What is the name of your organizational unit?
alibaba
What is the name of your organization?
alibabasoft
What is the name of your City or Locality?
shanghai
What is the name of your State or Province?
shanghai
What is the two-letter country code for this unit?
ch
Is CN=192.168.134.96, OU=alibaba, O=alibabasoft, L=shanghai, ST=shanghai, C=ch correct?
Y

2.
Generate the server certificate signing request (the certificate itself is issued by the CA in the next step)
keytool -certreq -alias server -sigalg MD5withRSA -file E:/Myca/server/server.csr -keypass 123456 -keystore E:/Myca/server/server.jks -storepass 123456
(keytool is in the JDK bin directory. MD5withRSA only signs the request, not the certificate the CA issues, but it is obsolete and recent keytool versions warn about it; use -sigalg SHA256withRSA.)

3.
Sign the server CSR with the CA key to issue the server certificate
openssl x509 -req -in E:/Myca/server/server.csr -out E:/Myca/server/server.pem -CA E:/Myca/ca-cert.pem -CAkey E:/Myca/ca-key.pem -days 3650 -set_serial 1
(-set_serial 1 hard-codes the serial number. Serials must be unique per issuer, so rerunning this command, or issuing anything else with serial 1, yields two different certificates with the same serial. Prefer -CAcreateserial / -CAserial as in the client section so OpenSSL tracks the next serial in a file. The CSR also carries no subjectAltName, so the issued certificate identifies the host by CN only.)

C:\Users\jack>openssl x509 -req -in E:/Myca/server/server.csr -out E:/Myca/server/server.pem -CA E:/Myca/ca-cert.pem -CAkey E:/Myca/ca-key.pem -days 3650 -set_serial 1
Signature ok
subject=C = ch, ST = shanghai, L = shanghai, O = alibabasoft, OU = alibaba, CN = 192.168.134.96
Getting CA Private Key

4.
Make the keystore trust the CA certificate (keytool needs the issuer present to accept the certificate reply in the next step)
keytool -import -v -trustcacerts -keypass 123456 -storepass 123456 -alias root -file E:/Myca/ca-cert.pem -keystore E:/Myca/server/server.jks

C:\Users\jack>keytool -import -v -trustcacerts -keypass 123456 -storepass 123456 -alias root -file E:/Myca/ca-cert.pem -keystore E:/Myca/server/server.jks
Owner: [email protected], CN=192.168.134.96, OU=alibabasoft, O=alibaba, L=shanghai, ST=shanghai, C=ch
Issuer: [email protected], CN=192.168.134.96, OU=alibabasoft, O=alibaba, L=shanghai, ST=shanghai, C=ch
Serial number: 8c14079cfc3c8c6d
Valid from: Thu Aug 16 11:22:13 CST 2018 until: Sun Aug 13 11:22:13 CST 2028
Certificate fingerprints:
MD5: AE:FB:B9:F0:62:A1:2E:B4:99:FA:71:75:33:9E:51:5F
SHA1: 55:85:B9:8D:54:FA:B4:54:2A:03:83:13:86:11:DB:E8:6A:77:B3:68
SHA256: 6E:A3:7E:62:50:B4:C9:11:E6:6B:8C:40:15:66:CC:E2:EB:BF:7C:03:71:FE:D6:A3:6B:91:3A:B0:D9:72:5C:64
Signature algorithm name: SHA256withRSA
Version: 1
Trust this certificate? [no]: Y
Certificate was added to keystore
[Storing E:/Myca/server/server.jks]

5.
Install the certificate reply (the CA-signed server certificate) into the keystore under the server alias
keytool -import -v -trustcacerts -storepass 123456 -alias server -file E:/Myca/server/server.pem -keystore E:/Myca/server/server.jks

C:\Users\jack>keytool -import -v -trustcacerts -storepass 123456 -alias server -file E:/Myca/server/server.pem -keystore E:/Myca/server/server.jks
Certificate reply was installed in keystore
[Storing E:/Myca/server/server.jks]

6.
Create the server truststore servertrust.jks containing the CA certificate (this is what the server uses to validate client certificates)
keytool -import -alias server-ca -trustcacerts -file E:/Myca/ca-cert.pem -keystore E:/Myca/server/servertrust.jks
(In the transcript below the space before -trustcacerts was dropped, so the alias became "server-ca-trustcacerts"; the import still succeeds, but under the wrong alias.)

C:\Users\jack>keytool -import -alias server-ca-trustcacerts -file E:/Myca/ca-cert.pem -keystore E:/Myca/server/servertrust.jks
Enter keystore password:
Re-enter new password:
Owner: [email protected], CN=192.168.134.96, OU=alibabasoft, O=alibaba, L=shanghai, ST=shanghai, C=ch
Issuer: [email protected], CN=192.168.134.96, OU=alibabasoft, O=alibaba, L=shanghai, ST=shanghai, C=ch
Serial number: 8c14079cfc3c8c6d
Valid from: Thu Aug 16 11:22:13 CST 2018 until: Sun Aug 13 11:22:13 CST 2028
Certificate fingerprints:
MD5: AE:FB:B9:F0:62:A1:2E:B4:99:FA:71:75:33:9E:51:5F
SHA1: 55:85:B9:8D:54:FA:B4:54:2A:03:83:13:86:11:DB:E8:6A:77:B3:68
SHA256: 6E:A3:7E:62:50:B4:C9:11:E6:6B:8C:40:15:66:CC:E2:EB:BF:7C:03:71:FE:D6:A3:6B:91:3A:B0:D9:72:5C:64
Signature algorithm name: SHA256withRSA
Version: 1
Trust this certificate? [no]: Y
Certificate was added to keystore

Registering the client certificate

1.
Create the client private key; "user" in the commands below stands for the name of the user the certificate is issued to
openssl genrsa -out E:/Myca/client/user-key.pem 1024

2.
Create the client certificate request. The CN should identify the client (the user name), not the server address; the transcript below reuses the server IP, which is why the client certificate ends up with the same subject as the server and the CA.
openssl req -new -out E:/Myca/client/user-req.csr -key E:/Myca/client/user-key.pem

C:\Users\jack>openssl req -new -out E:/Myca/client/user-req.csr -key E:/Myca/client/user-key.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:ch
State or Province Name (full name) [Some-State]:shanghai
Locality Name (eg, city) []:shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:alibaba
Organizational Unit Name (eg, section) []:alibabasoft
Common Name (e.g. server FQDN or YOUR name) []:192.168.134.96
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:unkown

3.
Issue the client certificate for that user by signing the CSR with the CA
openssl x509 -req -in E:/Myca/client/user-req.csr -out E:/Myca/client/user-cert.pem -CA E:/Myca/ca-cert.pem -CAkey E:/Myca/ca-key.pem -CAcreateserial -days 3650
(The original command also passed -signkey E:/Myca/client/user-key.pem. -signkey requests a self-signed certificate made with the requester's own key, which is the opposite of CA issuance; the transcript shows both code paths running, "Getting Private key" and then "Getting CA Private Key". Pass only the -CA/-CAkey options. -CAcreateserial creates E:/Myca/ca-cert.srl and keeps the next serial there; use it for the server certificate as well instead of -set_serial 1.)

C:\Users\jack>openssl x509 -req -in E:/Myca/client/user-req.csr -out E:/Myca/client/user-cert.pem -signkey E:/Myca/client/user-key.pem -CA E:/Myca/ca-cert.pem -CAkey E:/Myca/ca-key.pem -CAcreateserial -days 3650
Signature ok
subject=C = ch, ST = shanghai, L = shanghai, O = alibaba, OU = alibabasoft, CN = 192.168.134.96, emailAddress = [email protected]
Getting Private key
Getting CA Private Key

4.
Export the signed certificate user-cert.pem together with its private key as a PKCS#12 (.p12) file, which browsers can import into their certificate store. Adding -certfile E:/Myca/ca-cert.pem bundles the issuing CA certificate into the same file.

C:\Users\jack>openssl pkcs12 -export -clcerts -in E:/Myca/client/user-cert.pem -inkey E:/Myca/client/user-key.pem -out E:/Myca/client/user.p12
Enter Export Password:
Verifying - Enter Export Password:

5.
Import the signed certificate user-cert.pem into the server truststore. The original justifies this with "no personal certificate was bought from a CA", but that is not the reason it works: the server accepts any client certificate that chains to a CA present in servertrust.jks, and the CA certificate was imported there in step 6 of the server section, so this import is not required for the mutual-TLS handshake to succeed. Importing the leaf as well merely pins that one certificate in the truststore.

E:\Program Files\java\bin>keytool -import -alias user -trustcacerts -file E:/Myca/client/user-cert.pem -keystore E:/Myca/server/servertrust.jks
Enter keystore password:
Certificate was added to keystore

6.
List the entry to confirm the import
E:\Program Files\java\bin>keytool -list -v -alias user -keystore E:/Myca/server/servertrust.jks -storepass 123456
Alias name: user
Creation date: 2018-8-20
Entry type: trustedCertEntry

Owner: [email protected], CN=192.168.134.96, OU=alibabasoft, O=alibaba, L=shanghai, ST=shanghai, C=ch
Issuer: [email protected], CN=192.168.134.96, OU=alibabasoft, O=alibaba, L=shanghai, ST=shanghai, C=ch
Serial number: 967626e1c519a369
Valid from: Thu Aug 16 18:05:15 CST 2018 until: Sun Aug 13 18:05:15 CST 2028
Certificate fingerprints:
MD5: DF:D6:AC:94:38:6F:FC:DC:6A:A6:6F:58:9C:6F:CE:44
SHA1: 43:53:7E:53:E3:8F:E9:9F:B0:ED:A0:ED:A4:02:0A:EE:2C:F9:0B:F5
SHA256: BF:3B:C4:CA:55:A5:0D:39:55:69:AA:99:DE:C0:B2:C2:D0:14:18:45:F5:9F:D4:8D:05:D2:F9:33:A7:49:DC:4C
Signature algorithm name: SHA256withRSA
Version: 1
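The OpenSSL side of the three procedures above (CA creation, server step 3, client steps 2 to 4) as one script, added here as an illustration; it is not part of the original post. It assumes an output directory (first argument, otherwise a temp dir), the DNs and IP shown, the client name "user", an 825-day leaf validity and an empty PKCS#12 export password. Besides reproducing the steps it applies the fixes noted in the text: 2048-bit keys, a v3 CA certificate with basicConstraints, an IP subjectAltName on the server certificate, CA-only signing of the client certificate, and serials taken from a CA serial file. It also builds one extra "rogue" leaf with -signkey alone, the way the original client command partly did, to show that openssl verify rejects a certificate the CA never signed.

```shell
#!/bin/sh
# Added example, not part of the original post: rebuild the CA -> server -> client chain
# with OpenSSL alone and fix the weak points noted in the text above.
# Assumed: output directory (argument 1 or a temp dir), the DNs, the IP, the name "user".
set -eu

WORK="${1:-$(mktemp -d)}"
SERVER_IP="192.168.134.96"   # assumed: the address the page uses as the server CN
mkdir -p "$WORK"

make_ca() {
  # The CA's CN names the CA itself; only the server certificate needs the host name/IP.
  openssl genrsa -out "$WORK/ca-key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/ca-key.pem" -out "$WORK/ca-req.csr" \
    -subj "/C=CN/ST=shanghai/L=shanghai/O=alibaba/OU=alibabasoft/CN=Myca Test Root CA"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' > "$WORK/ca.ext"
  # Self-signed: -signkey is correct here, the CA signs itself. -extfile makes it v3.
  openssl x509 -req -in "$WORK/ca-req.csr" -signkey "$WORK/ca-key.pem" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca-cert.pem" 2>/dev/null
  printf '01\n' > "$WORK/ca.srl"   # serial file: every issued certificate gets a fresh serial
}

# issue_cert NAME SUBJECT EXT_LINE...: CSR for NAME, signed by the CA with the given extensions.
issue_cert() {
  name="$1"; subj="$2"; shift 2
  openssl genrsa -out "$WORK/$name-key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name-key.pem" -subj "$subj" -out "$WORK/$name-req.csr"
  printf '%s\n' "$@" > "$WORK/$name.ext"
  # Signed with the CA key only; no -signkey, which would ask for a self-signature instead.
  openssl x509 -req -in "$WORK/$name-req.csr" -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" \
    -CAserial "$WORK/ca.srl" -days 825 -sha256 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name-cert.pem" 2>/dev/null
}

# A leaf made with -signkey alone: self-signed, never seen by the CA.
make_selfsigned_leaf() {
  openssl genrsa -out "$WORK/rogue-key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/rogue-key.pem" -subj "/CN=rogue" -out "$WORK/rogue-req.csr"
  openssl x509 -req -in "$WORK/rogue-req.csr" -signkey "$WORK/rogue-key.pem" -days 30 \
    -out "$WORK/rogue-cert.pem" 2>/dev/null
}

build_chain() {
  make_ca
  issue_cert server "/C=CN/O=alibaba/CN=$SERVER_IP" 'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
    "subjectAltName=IP:$SERVER_IP"
  issue_cert user "/C=CN/O=alibaba/CN=user" 'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature' 'extendedKeyUsage=clientAuth'
  make_selfsigned_leaf
  # Browser-importable bundle for the client, issuer included (empty export password assumed).
  openssl pkcs12 -export -in "$WORK/user-cert.pem" -inkey "$WORK/user-key.pem" \
    -certfile "$WORK/ca-cert.pem" -passout pass: -out "$WORK/user.p12"
}

# verify_leaf NAME: prints OK if NAME-cert.pem chains to the CA, otherwise FAIL.
verify_leaf() {
  if openssl verify -CAfile "$WORK/ca-cert.pem" "$WORK/$1-cert.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}
# cert_version NAME: X.509 version as printed by openssl (3 for a v3 certificate).
cert_version() {
  openssl x509 -in "$WORK/$1-cert.pem" -noout -text | grep -o 'Version: [0-9]' | head -n 1 | cut -d' ' -f2
}
# cert_serial NAME: serial number in hex.
cert_serial() { openssl x509 -in "$WORK/$1-cert.pem" -noout -serial | cut -d= -f2; }
# has_ip_san: succeeds if the server certificate carries the IP SAN that clients match against.
has_ip_san() {
  openssl x509 -in "$WORK/server-cert.pem" -noout -text | grep -q "IP Address:$SERVER_IP"
}

build_chain
echo "CA version: $(cert_version ca)"
echo "server: $(verify_leaf server) serial=$(cert_serial server)"
echo "user:   $(verify_leaf user) serial=$(cert_serial user)"
echo "rogue:  $(verify_leaf rogue) (self-signed with -signkey only)"
```

The files land in the same layout the page uses (ca-cert.pem, server-cert.pem, user-cert.pem, user.p12). To get them into the JKS layout of the server section, keytool can import a PKCS#12 directly with `keytool -importkeystore -srckeystore user.p12 -srcstoretype PKCS12 -destkeystore user.jks`, and `keytool -import -trustcacerts -file ca-cert.pem -keystore servertrust.jks` builds the truststore exactly as in step 6.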

Reposted from: https://blog.csdn.net/lizhi_java/article/details/42875439
